-
ng authored
The `Mail::Gpg.signed?` method raises an error if it didn't detect any signature, but detects the PGP boundaries in the body. This becomes a problem if folks include any kind of PGP boundaries for an encrypted message in their body. This can e.g. happen if you try to describe how PGP works, include another PGP signed message in your mail (e.g. don't want to have even schleuder access to your mail content), you have a MUA with problematic quoting behavior or you simply forward an email with PGP boundaries, which you e.g. might have received through Schleuder's admin notification. This patch addresses these cases by a) checking if the decrypted mail had any signatures on it and so we already verified signatures and b) using the detection methods directly, so we don't run into raising the encryption of better using `.decrypt`. 2 tests are included to demonstrate the problematic behavior and which should cover the 2 main cases described in the bug report. These changes have the side effect, that we won't anymore verify any signatures within an email that already had a signature as part of the encrypted blob. This can be seen, e.g. that we need to change the test for the `x-sign-this` keyword, as a side-effect of using schleuder to decrypt the mail sent by schleuder, we had also the signature of the signed blob stripped away. Actually, we were testing for the wrong thing in this test anyway.
ff264ef8
To find the state of this project's repository at the time of any of these versions, check out the tags.